ARC Claims UK Ltd. Privacy Notice
Effective Date: October 27, 2021
INTRODUCTION
Who We Are
ARC Claims UK, Ltd. (collectively, “ARC UK,” “we,” “our,” or “us”) provides third-party claims management handling services for liability and property damage claims with a specialized focus for the trucking industry. We handle claims in the UK, Europe, the Middle East. ARC Claims UK, Ltd. is a subsidiary of ARC Claims Management, Inc., which provides global claims management handling services for liability and property damage claims.
Controller Contact Information
We are the controller for the processing of personal data under this Privacy Notice. Our address is: ARC Claims UK, Ltd., 6th Floor One London Wall London EC2Y 5EB.
Your privacy and the protection of your personal information is important to us. This Privacy Notice applies to our collection of personal data in connection with our services rendered in the United Kingdom (“UK”) and European Union (“EU”), whether the personal data is collected directly from you or shared with us by another person or organization. This Privacy Notice sets out information about our privacy practices with regard to the collection of your personal data, and your rights.
Data Protection Laws
ARC UK is subject to the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”) and GDPR as incorporated into the law the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 (the “UK GDPR”). Unless otherwise indicated, references in this Privacy Notice to GDPR include the UK GDPR. In addition, the terms personal data, controller, processor, data subject, consent, recipient, third party, processing, and profiling have the same meanings given to them under GDPR. “Services” means our claims management services, including services provided or obtained by means of ARC UK’s website at (insert ARC UK website), our mobile applications (“App” or “Apps”), our portals, and/or other services that we provide. “You” means anyone who contacts or engages us, uses our Services, submits a claim that we handle, or applies for employment with us.
Specific situations and types of personal data we may process
You may expand the section(s) below to see information about how we processes your personal data.
Clients and Their Officers, Employees, Contractors, or Service Providers
We may process certain personal data about the officers, employees, service providers or contractors of clients who employ our claims handling services. See more …
- Types of personal data we collect. We may collect and process your personal data for the purpose of providing services to your organization and for other purposes related to that purpose (for example, to issue invoices for those services). We may obtain this personal data directly from you and through our communications with your organization. Sometimes, we may obtain personal data about you from third parties (for example, your organization may provide your contact details) or public sources (for example, we may obtain data about your directorships from an online company search). The information we collect includes your name, position, address, contact details and business details. We may also collect data on the industry in which your organization operates and your business and personal interests. In some countries, if we are providing services to you, we may be required by law to collect certain identifying information about you. This may include your name, address, identification or business numbers. We may also be required to view or take a copy of your passport or identity documents.
In the course of our claims handling services for a matter involving our client, we also may collect other personal data about you. We discuss this further below under “Claims Handling.”
Purposes of processing and legal basis for processing. We will process your personal data for the purposes and legal basis under the GDPR below.
| Purpose of processing | Legal Basis of Processing |
|---|---|
| To provides claims management handling services to your organization and to fulfill administrative tasks related to our services (such as to receive claims and invoice your organization). | To fulfill our contract with you. |
| For compliance with our legal obligations or rights under applicable UK, EU or EU member state law, including responding to legal and regulatory requests and court orders. | To comply with our legal obligations. |
| To manage and develop our relationship with you and your organization, including to send you communications regarding our services. | Our legitimate interests, set forth below. |
| To comply with legal or regulatory obligations outside of the EU or UK, including to prevent fraud or harm to ourselves or others. | Our legitimate interests, set forth below. |
Recipients or categories of recipients. We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our operations and business. We also may disclose your personal information to officers and employees of ARC Claims Management, Inc. in connection with the rendering of claims management handling services. However, we will ensure that all such service providers, suppliers, or processors are subject to obligations not to use or disclose that data.
In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety. In the event that ARC UK is involved in a merger, acquisition, transfer of control, bankruptcy, reorganization or sale of assets, or diligence associated with such matters, we may include or transfer the information described in this Privacy Notice as part of that transaction.
Retention period. ARC UK retains personal data only for as long as it has a legitimate purpose to do so. We may need to retain personal data for commercial and legal purposes. How long we may need to retain personal data for these purposes will depend on the specific personal data. ARC UK generally retains claims documentation and matter files for 6 years after the end of the matter, in case a dispute or regulatory inquiry arises in relation to the matter. Once we no longer have a legal or commercial reason to retain personal data, we will securely delete or destroy it.
Requirement to provide personal data. As a client, it is mandatory to provide us with some basic personal data such as your name and contact details. If you do not provide this data, we will be unable to provide services to you. In some countries, we are required by law to collect certain personal data about you. If you do not provide this data, we will be unable to provide services to you. It is optional to provide most other personal data. However, in many cases, if you do not provide that data, the services we can provide may be limited or may not take into account your particular circumstances.
Claims Handling: Natural persons involved in or connected with a claim against a client
In the course of handling and managing our clients’ claims, we may process certain personal data about persons who are involved in, have alleged, or otherwise are connected with a claim asserted against our clients. See more …
Types of personal data we collect. The types of personal data we collect and process depends on the type of claim and what is necessary for and relevant to the claim. This may include personal data of claimants, witnesses, investigators, experts, advisors and consultants, as well as our clients’ officers, employees, contractors, drivers, agents, other persons who are connected with our client, and persons who are connected with other parties involved in the claim. For example, when handling a claim, we may process personal data about the claimant, family members of the claimant, witnesses to the claim, our client’s employee or contractor involved with the claim, and experts retained to evaluate and assess details involving the claim, including alleged damages.
Basic personal data we collect and process includes names, addresses, contact details and job/business details, your driver’s license (if you are a driver for our client or involved in an incident as a driver), month and year of birth, your location and geolocation at the time of the incident or in connection with a claim, alleged injuries or damage, pictures, images, or recordings regarding the claim, and financial information (such as wages, lost earnings and business records). If you are making claim for bodily injury, we may collect health-related information from you, such as medical records and medical reports, as well an insurance information. The personal data we collect may also include special categories of personal data if relevant to a matter, such as health and medical information for a bodily injury claim.
Depending on the circumstances, we may obtain this personal data directly from you, or from third parties or public sources. Third parties form whom we may collect personal data includes investigators, doctors, experts, insurers, witnesses and other parties involved in the claim. We may collect personal data from public sources including social media, company records, the land registry, insurance industry databases, and credit reporting agencies.
We may collect certain information from you via automated means when you visit our Website, use our App or portal, or otherwise submit information to us, including your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, geolocation, and information about how and when you use our Apps or portals. We also collect information through cookies and similar technologies (see our Cookie Policy below).
If you use our App to report a claim, we may request access or permission to and track location based on your mobile device. We also may request access or permission to certain features from your mobile device, including your mobile device’s camera, microphone, sensors, blue tooth, social media accounts, storage, SMS messages, reminders, and other features. We automatically may collect device information (such as your mobile device ID, model and manufacturer), operating system, version information and IP address.
Purposes of processing and legal basis for processing.We will process your personal data for the purposes and legal basis under the GDPR below.
| Purpose of processing | Legal Basis of Processing |
|---|---|
| To provides claims management handling services to our clients and to fulfill investigatory and settlement-related tasks related to claims made against our clients, including gathering evidence, assessing alleged damages, the issuance of payments. | Our legitimate interests, set forth below. |
| To conduct investigations and analyses of claims, including potential tracing of people connected with the claim, conducting background research on claimants, or determining whether a claim is fraudulent. | The legitimate interests of our clients and the public interest in administering claims in an efficient manner, and identifying potentially fraudulent claims and helping prevent insurance fraud. |
| To engage in your services or your organization’s services and for other purposes related to that purpose (for example, to pay your invoices). | Necessary to fulfill the contract between us and you or your organization. |
| To add your information to our database or contacts of experts, contractors, and service providers. | Our legitimate interests, set forth below. |
Recipients or categories of recipients. We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. We will ensure that all such suppliers are subject to obligations not to use or disclose that data. We may disclose your personal data to our client in the course of providing services to them.
We may disclose your personal data to third parties who provide legal and non-legal services which assist us with handling a claim, such as legal counsel and barristers, investigators, experts, or translators. We may disclose your personal data to third parties who are involved in the claim, such as the claimant. For example, we may disclose the name of a damages expert, and his or her organization, to a claimant if there is a dispute over the amount of damages sustained in a claim.
We may disclose your personal data to public authorities or registrars if necessary to handle or investigate a claim. In some countries, we are required by law to provide your personal data to government authorities. In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety. In the event that ARC UK is involved in a merger, acquisition, transfer of control, bankruptcy, reorganization or sale of assets, or diligence associated with such matters, we may include or transfer the information described in this Privacy Notice as part of that transaction.
Retention period. ARC UK retains personal data only for as long as it has a legitimate purpose to do so. We may need to retain personal data for commercial and legal purposes. How long we may need to retain personal data for these purposes will depend on the specific personal data. ARC UK generally retains claims documentation and matter files for 6 years after the end of the claim, in case a dispute or regulatory inquiry arises in relation to it. Once we no longer have a legal or commercial reason to retain personal data, we securely delete or destroy it.
Requirement to provide personal data. To provide services to our organization, and to enable us to handle claims and provide services to our clients, it is mandatory to provide us with some personal data such as your name, contact details, your background, employment history, and areas of expertise. If you do not provide this data, we will be unable to engage your services. It is optional to provide most other personal data. However, in many cases, if you do not provide that data, the advice and/or services your organization can provide to us may be limited and insufficient. It may affect our ability to assess your suitability to provide us services.
In some countries, we are required by law to collect your identification or business number and/or view or take a copy of your passport or identity documents. If you do not provide this data, we will not be able to act for your organization.
Employment with ARC UK
If you seek employment with us, we may collect personal data about you. See more …
Types of personal data we collect. We collect and process personal data necessary to consider you for hiring related purposes and, if you are hired, for employment-related purposes. Such personal information includes your name and contact information, unique government-issued identification numbers. We may collect financial information, such as banking information, to help us pay you. We may collect special categories of personal information about you. We may be required by law to collect certain identifying information about you, including your name, address, and to view or take a copy of your passport or identity documents.
Purposes of processing and legal basis for processing. We will process your personal data for the purposes and legal basis under the GDPR below.
| Purpose of processing | Legal Basis of Processing |
|---|---|
| To consider your employment for hiring-related purposes. | Our legitimate interests, set forth below. |
| To employ you and process your personal data for employment-related purposes. | To prepare for and fulfill our employment contract with you. |
| Processing of other personal data for employment-related purposes. | Our legitimate interests, set forth below. |
| To process your personal data for employment-related purposes, as required by UK and EU law. | To comply with our legal obligations. |
Recipients or categories of recipients. We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. We will ensure that all such suppliers are subject to obligations not to use or disclose that data. We may disclose your personal data to our client in the course of providing services to them.
We may disclose your personal data, such as your name and business contact information, to third parties like our clients, claimants, and our service providers (i.e., investigators, experts, legal counsel) for the administration and operation of our claims handling services. For example, we may disclose your first name and a business email to a claimant for whose claim you have been assigned as the claims handler so that the claimant may contact you to provide you with necessary information about his or her claim.
In some countries, we are required by law to provide your personal data to government authorities. In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety. In the event that ARC UK is involved in a merger, acquisition, transfer of control, bankruptcy, reorganization or sale of assets, or diligence associated with such matters, we may include or transfer the information described in this Privacy Notice as part of that transaction.
Retention period. ARC UK retains personal data only for as long as it has a legitimate purpose to do so. We may need to retain personal data for commercial and legal purposes. How long we may need to retain personal data for these purposes will depend on the specific personal data. ARC UK generally retains claims documentation and matter files for 6 years after the end of your employment, in case a dispute or regulatory inquiry arises. If you seek employment with us and we do not hire you, we will retain your information for a shorter period pursuant to applicable law. Once we no longer have a legal or commercial reason to retain personal data, we securely delete or destroy it.
Requirement to provide personal data. To consider you for employment and/or to employ you, it is mandatory to provide us with some personal data such as your name, contact details, your background, employment history, and areas of expertise. If we hire you, we may be required by law to collect certain identifying information about you, including your name, address, and to view or take a copy of your passport or identity documents. If you do not provide this data, we will be unable to consider you for employment. It is optional to provide most other personal data. However, in many cases, if you do not provide that data, our ability to assess your suitability for employment, or if we hire you, our ability to provide you with job-related conveniences or benefits may be limited.
OUR Legitimate interests
As noted above, in some situations, we may process your personal data on the basis of our legitimate interests. ARC UK provides third-party claims management handling services for liability and property damage claims in in the UK, EU, and the Middle East. ARC UK also is a subsidiary of ARC Claims Management, Inc., which provides global claims management handling services. As such, we have a legitimate interest in:
- providing claims management handling and investigatory services for liability and property damage claims made against its clients for its clients, ensuring that our services are of high quality and comply with applicable laws and regulations;
- developing and growing our business and relationships, understanding the needs of our clients and prospective clients, and providing insights and commentary in the provision of our services; and
- employing and managing our employees and contractors.
Kennedys will only rely on those legitimate interests to process personal data where: (i) the processing is necessary for the purposes of those for the purposes of those legitimate interests; and (ii) those legitimate interests are not overridden by the data subject’s interests or fundamental rights and freedoms.
SECURITY
We employ reasonable physical, technical, and administrative safeguards designed to protect the confidentiality, integrity, and availability of personal data we collect, including firewall barriers, SSL encryption techniques, and authentication procedures. These safeguards vary depending upon a variety of factors including the sensitivity of the information we collect and use. Despite all reasonable practices, no security method is infallible. We cannot guarantee the security of the networks, systems, servers, devices, and databases we operate, that are operated on our behalf, or which you employ to access our Services. Nor can we guarantee the security of third-party networks, including cellular networks and storage servers, used in connection with our Services.
International Transfers
We may transfer your personal data to other countries outside the European Economic Area (“EEA”) which do not have protections similar to GDPR in place regarding your personal data, including the United States. In that regard, ARC UK’s central servers currently are located in the UK. However, we may engage claims handlers from ARC Claims Management, Inc., located in the US, to assist with the provision of our claims handling services when needed. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy. We also have entered into a Data Transfer Agreement with ARC Claims Management, Inc., which includes the execution of Standard Contractual Clauses.
Your Affirmative Consent
By submitting your personal data to us, you acknowledge these transfers and affirmatively consent to them. In the case of clients, their contractors, and claimants, all whom submit claim-related information to us, you acknowledge and affirmatively consent to the transfer of your data outside of the EEA. In the case of service providers, contractors, and other third parties whom we hire to assist us for the handling of a claim, you acknowledge and affirmatively consent to the transfer of your data outside of the EEA.
Automated decision-making including profiling
ARC UK does not engage in any automated decision-making or profiling.
Cookies, Web Beacons, & Google Tools
Cookies and Web Beacons
Our Website uses cookies and similar tracking technologies to access or store information. Cookies are small data files sent to your computer on the basis of the information that we have collected about your visit. You may refuse to accept browser cookies by activating the appropriate setting on your browser. Kindly note that if you select such a setting, you may be unable to access certain parts of our Website. Certain features of our Websites may use locally-stored objects (or Flash cookies) to collect and store information about your preferences and navigation to, from, and on our Website. Flash cookies are not managed by the same browser settings as are used for browser cookies.
Our Website also may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages for website statistics (for example, recording the popularity of certain website content and verifying system and server integrity). We may use cookies and web beacons to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking). The information we collect automatically may include personal information or we may maintain it or associate it with personal information we collect in other ways or receive from third parties. It helps us to improve our Website and to deliver a better and more personalized service, including to recognize you when you return to our Website and/or to improve the experiences of users of our Website.
Your web browser will have an option you may select that will block cookies. Below are links to information about popular web browsers and how to block cookies using them:
https://support.google.com/chrome/answer/95647?hl=en&p=cpn_cookies
https://support.microsoft.com/en-gb/help/4027947/microsoft-edge-delete-cookies
Google Analytics
We use Google Analytics, a web analytics tool provided by Google, Inc. that helps website owners understand how visitors engage with their websites. We can view a variety of reports about how visitors interact with our Website, so we can improve it. Google Analytics collects information using cookies and IP addresses, and it reports website trends without identifying individual visitors. In the event a visitor to our Website submits contact information to Google, Google may then associate such information with the applicable IP address to enable us to see that visitor’s specific interactions with our Website. You can opt-out of Google Analytics by installing the Google Analytics Opt-out Browser Add-On. For information about and to install Google Analytics Opt-out Browser Add-on, click here:
Do Not Track Signals
Certain web browsers provide users with an option by which you may have your browser send a “Do Not Track” signal to websites that you are visiting, advising the recipient websites that you do not want to have your online activity tracked. However, the way browsers communicate such “Do Not Track” signals is not yet uniform and, accordingly, our Website does not take any action in response to such signals. In the event a final standard is developed and accepted, we may reassess how we should respond to such signals.
OUR COMMUNICATIONS WITH YOU
We will communicate with you in relation to a claim we are handling. We may communicate with you by phone, email, text, or mail. Where required by law, we will obtain your consent to do so.
We may send you marketing communications. Where required by law, we will obtain your consent to do so. By providing use with your contact information, including your mobile phone number and/or email address, and, where permitted, affirmatively clicking the box allowing us to contact you by these means, you are confirming and authorizing our ability to contact you by texting, phone, or other specified means. You can opt out, where applicable, or by following the instructions provided with our communications, for example, in the email message we send if we communicate with you by email. If you opt-out of such communications, we still will send you communications about a claim we are handling for you.
We may request to send you push notifications in connection with our Apps. If you wish to opt-out from receiving these types of communications, you may turn them off in your device’s settings.
You also may opt-out or change your preferences by providing opt-out instructions – e.g. sending an email or postal mail as provided below:
Postal Mail: ARC Claims Management, Inc., C/O ARC Claims UK Ltd. One Cherry Hill, Suite 630, Cherry Hill, NJ 08002
Email Privacy: privacy@arcclaims.com
Be sure to include the contact information we are using to communicate with you, such as your email address, and let us know the specific types of communications you no longer wish to receive.
Your Data Rights
If you are located in the EU or the UK, you have certain rights in relation to your personal data as follows:
Access: You have the right to obtain access to and a copy of any personal data we hold about you. You also have the right to find out whether your personal data has been transferred outside the EU and any safeguards relating to this transfer.
Rectification: If you consider that any personal data we hold about you is incorrect or incomplete, you have the right to ask us to correct or complete that personal data.
Erasure: In certain circumstances, you have the right to ask us to erase any personal data we hold about you.
Restriction of processing: In certain circumstances, you have the right to ask us not to process your personal data for certain purposes.
Objection to processing: In certain circumstances, you have the right to object to us processing your personal data for certain purposes.
Data portability: In certain circumstances, you have the right to request a copy of your personal data in a structured, commonly used and machine-readable format.
Withdrawing consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time.
For more information about these rights, visit https://ico.org.uk/for-the-public/.
To make a request pursuant to these rights, contact our Data Protection Officer pursuant to the information provided above. If an exception applies, we will tell you this when responding to your request. We may request you provide us with information necessary to confirm your identity before responding to any request you make.
Questions And How to Contact us
Data Protection Officer Contact Information
If you have any questions about this Privacy Notice or about our personal data processing practices, or if you wish to exercise any of your rights as a data subject, you may contact ARC UK’s Data Protection Officer at privacy@arcclaims.com. You also may write ARC UK as follows:
ARC Claims Management, Inc.
C/O ARC Claims UK, Ltd. – Data Protection Officer
One Cherry Hill, Suite 630,
Cherry Hill, NJ 08002
USA
If you have a complaint about our personal data processing practices, you should first contact ARC UK’s Data Protection Officer. If you are not satisfied with our response, you have the right to lodge your complaint with the following supervisory authorities:
United Kingdom (UK GDPR)
Information Commissioners Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Telephone: +44 (0) 303 123 1113
Email: casework@rco.org.uk
Website: https://ico.org.uk
European Union (GDPR)
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland
Telephone: +353 578 684 800
Website: https://www.dataprotection.ie/